Channel: Centrify Express topics

AIX 7.1 and samba 4.6.4

Hello,

I installed Samba 4.6.4 from the IBM Toolbox for Linux. After that I installed Centrify Suite 2007.1 (express install) and joined our domain.

Next I installed adbindproxy.

After this I see I'm joined to the domain (adinfo).

But I have a strange problem: with some of the domain users I can browse the server and with other users it is not possible. If I use smbclient -L localhost -U username I have the same problem.

All the users are in the Allow List.

Sometimes there is even an error: No logon server.

My samba conf below:

[global]
    security = ADS
    realm = EXAMPLE.LOCAL
    workgroup = EXAMPLE
    netbios name = server1
    netbios aliases = server11

    auth methods = guest, sam, winbind, ntdomain
    machine password timeout = 0
    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb

    kerberos method = secrets and keytab
    server signing = auto

    client ntlmv2 auth = yes
    client use spnego = yes


    template shell = /bin/bash
    winbind separator = +
    winbind use default domain = Yes

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = Yes

    idmap cache time = 0

    #ignore syssetgroups error = No
    idmap config * : backend  = tdb
    idmap config * : range = 1000 - 2000000000
    idmap config * : base_tdb = 0
    enable core files = false

    allow insecure wide links = yes

    interfaces = en4 172.20.20.99/255.255.254.0

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

[samba-test]
    comment = Samba share
    valid users = @"EXAMPLE.LOCAL+Allow Users"
    #invalid users = @"EXAMPLE.LOCAL+Deny List"
    path = /home1/samba-test
    public = yes
    writable = yes
    browsable = no
    wide links = yes
    follow symlinks = yes

adinfo -v
adinfo (CentrifyDC 5.4.1-455)

adinfo -V
Options:
-------
task: all
domain: null
output: null
additional paths: null
user: null
using user's credential cache: No
allow password prompt in kerberos get init credential: Yes
user's credential cache: null
server: null
Local host name:   server1
Joined to domain:  example.local
Joined as:         server1.example.local
Pre-win2K name:    server1
Current DC:        w2008dcbu.example.local
Preferred site:    Default-First-Site
Zone:              Auto Zone
  Retrieving site information from site=any, server='w2008dcbu.example.local'
  Using machine credentials
    Using principal name 'server1$@example.LOCAL'
  Binding to example.local, cache=MEMORY:1100d4bb0
  Searching for (&(samAccountName=server1$)(objectClass=computer))
             in dc=example,dc=LOCAL
  Found computer account: CN=server1,CN=Computers,DC=example,DC=local
Last password set: 2017-07-31 14:58:12 DFT
CentrifyDC mode:   connected
Licensed Features: Disabled

adinfo

Local host name:   server1
Joined to domain:  example.local
Joined as:         server1.example.local
Pre-win2K name:    server1
Current DC:        w2008dcbu.example.local
Preferred site:    Default-First-Site
Zone:              Auto Zone
Last password set: 2017-07-31 14:58:12 DFT
CentrifyDC mode:   connected
Licensed Features: Disabled


Military CAC and establishing secure connection

Good morning - I have a Mac that is running OS X El Capitan 10.11.6, a GEMALTO DLGX4-A CAC card, and Centrify Express installed on my computer.

Up until a few days ago, I was able to access all CAC-enabled websites with no issues, but now I am getting an error that a secure connection cannot be established. I have not gotten a new CAC card or made any changes that I can think of to cause this error.

I have already rebooted my system, unplugged and replugged the CAC reader, uninstalled and reinstalled the software, and verified all certificates.

I would appreciate any assistance with helping me figure out the issue.

Thank you!

Teresa

Can I disable the services smbd and samba-ad-dc since I have centrifydc-samba enabled?

Is there any need to have smbd running after setting up centrifydc-samba? I inherited a system like this, but find it confusing that there are possibly two different versions of Samba running.

Can I just disable these?

Environment PATH different when su vs logging in directly

Hello,

I recently installed Centrify 2017.1 on a server where we have a local user that Tomcat runs as. When I log in as an AD user and su to that user, the bash script we have in the environment variables is not working. But if I log in directly as that local user it works fine. Here are the differences in the output of echo $PATH.

Correct one -

[rmwm@rmwmqa02 ~]$ echo $PATH
/usr/lib64/qt-3.3/bin:/opt/jdk1.8.0_60/bin:/usr/share/centrifydc/bin:/usr/localbin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/rmwm/bin

Incorrect -

[rmwm@rmwmqa02 ~]$ echo $PATH
/opt/jdk1.8.0_60/bin:/opt/jdk1.8.0_60/bin:/usr/lib64/qt-3.3/bin:/opt/jdk1.8.0_60/bin:/usr/share/centrifydc/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/sbrennan_admin/bin

The part that makes the script work from any directory is the sbin:/home/rmwm/bin. Why would that be missing from the same user account when I su?

Thanks
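The second PATH above ends in /home/sbrennan_admin/bin, so it was carried over from the admin's session rather than built by rmwm's own login profile, which is what su without the `-` (login shell) option does on most systems. Beyond explaining the missing entry, an inherited PATH is a least-privilege problem: the Tomcat user ends up executing whatever sits in another account's bin directory. The script below is an added example, not from the post or from Centrify; it splits a PATH the way the shell does and flags entries under another user's home, relative entries and duplicates. The two PATH strings are the ones posted; the expected home directory /home/rmwm is an assumption.

```python
"""Audit PATH values for entries inherited from another user's session.

Added example, not from the post or from Centrify. The two PATH strings are
the ones posted (direct login vs. after su); the target user's home
directory, /home/rmwm, is an assumption, as are the three checks.
"""
import os
import posixpath

# PATH as printed after logging in directly as rmwm (from the post).
DIRECT_LOGIN_PATH = (
    "/usr/lib64/qt-3.3/bin:/opt/jdk1.8.0_60/bin:/usr/share/centrifydc/bin:"
    "/usr/localbin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/rmwm/bin"
)
# PATH as printed after an AD admin ran `su rmwm` (from the post).
AFTER_SU_PATH = (
    "/opt/jdk1.8.0_60/bin:/opt/jdk1.8.0_60/bin:/usr/lib64/qt-3.3/bin:"
    "/opt/jdk1.8.0_60/bin:/usr/share/centrifydc/bin:/usr/local/bin:/bin:"
    "/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/sbrennan_admin/bin"
)


def split_path(path):
    """Split like the shell does: an empty element means the current directory."""
    return [entry if entry else "." for entry in path.split(":")]


def audit_path(path, expected_home):
    """Return findings for one PATH value.

    relative     - entries resolved against the cwd (".", "bin"): a classic
                   PATH-hijack foothold for anyone who can plant a binary
    foreign_home - entries under a home directory other than expected_home,
                   i.e. this user executes whatever that other user drops there
    duplicates   - repeated entries; harmless, but a sign the variable was
                   inherited and appended to rather than built by a login shell
    """
    findings = {"relative": [], "foreign_home": [], "duplicates": []}
    home_prefix = expected_home.rstrip("/") + "/"
    seen = set()
    for entry in split_path(path):
        if not posixpath.isabs(entry):
            findings["relative"].append(entry)
        elif entry.startswith("/home/") and not entry.startswith(home_prefix):
            findings["foreign_home"].append(entry)
        if entry in seen and entry not in findings["duplicates"]:
            findings["duplicates"].append(entry)
        seen.add(entry)
    return findings


def missing_entries(expected_path, actual_path):
    """Entries of the login-shell PATH that are absent from the inherited one."""
    actual = set(split_path(actual_path))
    return [entry for entry in split_path(expected_path) if entry not in actual]


def main():
    home = "/home/rmwm"
    print("missing after su:", missing_entries(DIRECT_LOGIN_PATH, AFTER_SU_PATH))
    print("direct login:", audit_path(DIRECT_LOGIN_PATH, home))
    print("after su:", audit_path(AFTER_SU_PATH, home))
    # The same check against the shell this script was started from.
    print("this process:", audit_path(os.environ.get("PATH", ""), os.path.expanduser("~")))


if __name__ == "__main__":
    main()
```

Running it on the posted values reports /usr/localbin and /home/rmwm/bin as missing after su, and /home/sbrennan_admin/bin as a foreign-home entry. A login shell (`su - rmwm`, or `sudo -iu rmwm`) rebuilds PATH from rmwm's own profile, so the "this process" line is a quick way to confirm a shell was started that way.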

AD Time sync

Hello, I am new to Centrify so please excuse me if this is a repeated question. I have installed Centrify Express on our Ubuntu 14.04 and 16.04 systems. I am able to successfully log in using our AD accounts. Does installing Centrify and joining these systems make them automatically sync time with the AD Domain Controller? Before installing Centrify, I had hardcoded settings in the local ntp.conf file of each Linux machine to point to a time server. What happens to this ntp.conf time server setting then? Does AD time take precedence over it?

Thanks.

Bind/ auth error that happens days after joining domain

Hi,

I have a problem with hosts randomly getting login errors or disconnecting from a domain, and I am not sure how to read the command output. When the error occurs I am not able to log in to hosts with any AD user. A simple adinfo shows that the domain is connected (Running in connected mode) and totally fine. However, adinfo --diag reveals that there is an error:

===============System Health===================
HealthStatus: Unhealthy
SubSystem: PwdVerify
ErrCount: 19
LastSet: Fri Aug 11 07:38:35 2017
LastReset: Never
LastCode: -1765328340
LastReason: rd_req:Key version is not available
LastOperation: Verify credentials

Additionally, in the binding table there is a disconnected status:

Binding Table
$=>adhost02.mydomain.com(MYDOMAIN.COM) disconnected
MYDOMAIN.COM=>adhost02.mydomain.com(MYDOMAIN.COM) disconnected

Is that the same as disconnected from a domain?

As the error shows that the key version is not available, I was checking the keytab (klist -k -t -K krb5.keytab), but it shows that the last key version is the same as the one specified in adinfo --diag. Additionally, kvno principal returns the same key version. However, the error might have something to do with key renewal, looking at the occurrence times.

When trying to log in, the output in /var/log/messages is:
fd:27 PAMVerifyPassword2 > audit User 'username' not authenticated: rd_req:Key version is not available
Aug 16 15:17:26 host01 adclient[36738]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=username(type:ad,username@MYDOMAIN.COM) pid=6746 utc=1502896646293 centrifyEventID=24101 DASessID=N/A DAInst=N/A status=DENIED service=sshd tty=ssh client=10.0.1.119 reason=Authentication failure

 

su username won't work; however, kinit username works fine.

Additionally, in messages I can also see:
Aug 13 03:45:04 usnj1cddn01 adclient[36738]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2701|Trusted path denied|5|user=host01$@MYDOMAIN.COM pid=36738 utc=1502595904026 centrifyEventID=23701 DASessID=N/A DAInst=N/A status=DENIED server=cifs/adhost02.mydomain.com@MYDOMAIN.COM reason=No credentials found with supported encryption types
Aug 13 03:45:04 usnj1cddn01 adclient[36738]: WARN <gpworker> gp.processor Can not load policy usnj1cddn01$ from DC. Will execute old policy.
Aug 13 03:45:04 host01 adinfo[47831]: INFO base.nocachemode Disabling the agent directory cache
Aug 13 03:45:05 host01 adclient[36738]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2700|Trusted path granted|5|user=host01$@MYDOMAIN.COM pid=36738 utc=1502595905007 centrifyEventID=23700 DASessID=N/A DAInst=N/A status=GRANTED server=ldap/adhost02.mydomain.com@MYDOMAIN.COM


Any clue what is causing the problem? I know that rejoining the host to the domain would solve the problem for 1-2 weeks, but then it will most likely happen again.

I also know that the admin password that joined the hosts to the domain got changed - could that be the cause?

check time sync

Hello,

I am using CentrifyDC Express mode on our Ubuntu Linux systems. Is there any command to check if our Linux system is successfully syncing time with AD or not? I tried the adinfo command; it doesn't show time status. I know that by default upon joining the domain, all the clients will sync with the Domain Controller. How do I check if the time sync is working correctly or not?

I tried running the "ntpq -p" command but I get a connection refused message. This is intentional, as I am not using the local ntp daemon of the Linux OS anymore.
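Whatever performs the synchronisation (the local ntpd, or the agent if it is configured to), the question asked in this post and in the earlier "AD Time sync" post is answerable directly: ask the DC. A Windows domain controller answers NTP on UDP 123 via w32time, and Kerberos rejects tickets whose timestamps differ from the KDC's clock by more than the clock skew limit (300 seconds by default in MIT krb5), which is why a drifting clock shows up as authentication failures rather than as a time error. The script below is an added example, not from the posts or from Centrify: it builds an SNTP client request, parses the server reply, and computes offset and delay with the RFC 4330 formula. A constructed reply is included so the arithmetic runs offline; pass a DC hostname on the command line to query a real server.

```python
"""Measure this host's clock offset against a domain controller over SNTP.

Added example, not from the posts or from Centrify. It sends one NTPv4
client packet to UDP 123, parses the 48-byte reply and computes offset and
delay with the RFC 4330 formula, then checks the offset against the MIT
Kerberos default clock skew of 300 s. The reply used when no server is
given on the command line is constructed, so the arithmetic runs offline.
"""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KRB5_MAX_SKEW = 300.0           # krb5 'clockskew' default, seconds
PACKET = "!B B B b 11I"         # LI/VN/mode, stratum, poll, precision, 11 x 32-bit words


def to_ntp(unix_seconds):
    """Unix float seconds -> (seconds, fraction) 32-bit pair."""
    whole = int(unix_seconds)
    return whole + NTP_EPOCH_OFFSET, int((unix_seconds - whole) * (1 << 32))


def from_ntp(seconds, fraction):
    """NTP 64-bit timestamp -> Unix float seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / float(1 << 32)


def build_request(t1):
    """Client packet: LI=0, VN=4, mode=3, transmit timestamp = t1."""
    secs, frac = to_ntp(t1)
    return struct.pack(PACKET, 0x23, 0, 0, 0, *([0] * 9 + [secs, frac]))


def make_reply(t2, t3, stratum=2):
    """Server packet (mode 4) with receive/transmit timestamps; constructed test data."""
    r, x = to_ntp(t2), to_ntp(t3)
    return struct.pack(PACKET, 0x24, stratum, 6, -20, 0, 0, 0, 0, 0, 0, 0, r[0], r[1], x[0], x[1])


def parse_reply(data, t1, t4):
    """Return (offset, delay, stratum); t1/t4 are the client's send/receive times.

    RFC 4330: offset = ((t2 - t1) + (t3 - t4)) / 2, delay = (t4 - t1) - (t3 - t2)
    """
    if len(data) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    f = struct.unpack(PACKET, data[:48])
    if f[0] & 0x07 != 4:
        raise ValueError("not a server reply (mode %d)" % (f[0] & 0x07))
    if f[1] == 0:
        raise ValueError("kiss-o'-death: server unsynchronised or refusing")
    t2 = from_ntp(f[11], f[12])   # receive timestamp
    t3 = from_ntp(f[13], f[14])   # transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2), f[1]


def within_skew(offset, limit=KRB5_MAX_SKEW):
    """True if Kerberos would still accept tickets at this offset."""
    return abs(offset) <= limit


def query(host, timeout=3.0):
    """One live request to host:123. Needs the network; not used by the offline demo."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time()
        sock.sendto(build_request(t1), (host, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    finally:
        sock.close()
    return parse_reply(data, t1, t4)


def main(argv):
    if len(argv) > 1:
        offset, delay, stratum = query(argv[1])
    else:
        # Offline demo: the server's clock is 420 s ahead and the round trip is 20 ms.
        t1 = 1502896646.0
        offset, delay, stratum = parse_reply(make_reply(t1 + 420.010, t1 + 420.011), t1, t1 + 0.020)
    print("offset %+.3f s, delay %.3f s, stratum %d" % (offset, delay, stratum))
    print("Kerberos skew limit met:", within_skew(offset))


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `python ntp_skew.py dc01.example.com` (a placeholder name) queries the DC and prints the offset; with no argument it runs the offline demo, which reports an offset of about +420 s and a failed skew check. Query each DC the host binds to: an offset that is fine against one DC and not another points at the DCs themselves.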

is not a zone user?

Hi,

I'm running Centrify Express on a Linux server connected to a Windows domain controller.

I could auto-zone join but I can't authenticate anything.

I tried to run adquery user <username> but got the following response back:

<username> is not a zone user

How are zones defined? I know that all users are in a different location in the AD.

The domain is: corporate.company.com

For example, the bind user was located under OU=Standard,OU=UserAccounts,OU=Americas,OU=Regions,DC=corporate,DC=company,DC=com

Users we want to authenticate are here:

OU=EMEA,OU=Standard,OU=UserAccounts,OU=Americas,OU=Regions,DC=corporate,DC=company,DC=com

or

OU=US,OU=Standard,OU=UserAccounts,OU=Americas,OU=Regions,DC=corporate,DC=company,DC=com

Best regards, Johan


Question on Centrify express limitations

Hi,

I am new to Centrify. We are planning to implement Centrify Express for the Oracle Linux servers. Our security team is asking the questions below. Can you please clarify the following?

1.) The following Centrify community link talks about enabling auto.schema.allow.(users, groups) in Centrify DirectExpress version 5.1. I think the latest version is 5.4.1. But the Centrify admin guide (page 10) says that we cannot use the auto.schema.allow.(users, groups) parameters to filter user or group logins. Does that mean uncontrolled access to the Linux servers, and anyone in the domain can log in to the Linux servers?

Reference:

Community link: http://community.centrify.com/t5/Centrify-Express/sudo-hanging-for-a-long-while-for-centrify-enabled-users/td-p/10166/page/3

Admin guide: https://docs.centrify.com/en/css/suite2017/centrify-express-unix-agent-guide.pdf?_ga=2.170280871.628020187.1503384383-1610122130.1503384383

2.) We have Quest InTrust Real-time Alert for the SOX audit of critical servers. Will there be any conflict between Centrify Express and Quest InTrust Real-time Alert? (I am assuming Centrify is a bridge to Active Directory and won't cause any issue with InTrust.)

Thanks,

Prabu

Login issue

Hello,

We have been logging in to the Centrify admin/manager portal using one credential for a long time. But I cannot log in to that site right now.

Can the admin please look into that and enable me to proceed with the login?

This is relatively urgent.

Regards,
Ganesan

Question around policy refresh and application

Hi,

I have finally got Centrify Express to work for most cases on Ubuntu laptops. I am facing two different sets of problems and it would be great to get some advice on them.

1. The laptops connect to AD through VPNs but they are not always on VPN. From what I have seen, if the VPN is on and a login session is simulated, the latest settings are always fetched. But when the VPN is off, it uses cached credentials. The question I had was: other than the login event, when does the client fetch the settings? I assume adgpupdate is not supported for Express, so is there some standard periodicity for refresh? The problem I have is that when users log out and log back in, their VPN is gone, and so if that is the only event triggering a refresh it may never work for some users.

2. I am having a tough time understanding which policies get applied on Ubuntu laptops. I did some searching and saw many posts around group policies/templates etc. But our requirement is fairly basic, for example locking the screen with an idle time of 2 minutes and forcing a password unlock. If I set those policies in AD through "Group Policy Management Editor > User configuration > Policies > Administrative Templates > Control Panel > Personalization > Screensaver timeout" I do not see them getting applied on Ubuntu. I do not have a /var/centrifydc/reg folder either. So does it mean these kinds of policies will not work in the Express edition? Password length etc. constraints seem to work fine, hence the confusion. Please let me know if there are other ways of enforcing a screen lock if not through these group policies.

Thanks,

Vikram

AD Joined Computer via Centrify -- auth errors (0xc000006a) once a minute

We are using . For some reason, we have been getting authentication errors once a minute on our DC. It has been on the domain for almost two years now. These errors may have been going on that long.

Jul 14 10:03:54 DC1.domain.local MSWinEventLog<009>2<009>Security<009>191929351<009>Fri Jul 14 10:03:52 2017<009>4776<009>Microsoft-Windows-Security-Auditing<009><009>N/A<009>Audit Failure<009>DC1.domain.local<009>14336<009>The computer attempted to validate the credentials for an account.<013><010><013><010>Authentication Package:<009>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0<013><010>Logon Account:<009>COMPUTER-NAME$<013><010>Source Workstation:<009>COMPUTER-NAME<013><010>Error Code:<009>0xc000006a

install.sh ************** rev = 2015.1 (5.2.3-415) *****************
Wed Sep 30 11:32:41 MDT 2015
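Event 4776 is written on the DC for NTLM credential validation (the MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 line), and error code 0xc000006a is STATUS_WRONG_PASSWORD. For a machine account (the trailing `$`) that means something on that workstation is authenticating over NTLM with a computer-account password that no longer matches the computer object in AD; the once-a-minute cadence is the kind of pattern a retry loop leaves. The parser below is an added example, not from the post: it decodes the forwarder's escaped tabs and CRLFs, extracts the 4776 fields, and groups failures by account, workstation and error code with the median interval between repeats, so a clockwork retry stands out from a user mistyping a password. The first log entry is the one posted; the others are constructed, and the tab-separated field layout is assumed from the posted line's shape (Snare-style, <009> = tab, <013><010> = CRLF).

```python
"""Parse syslog-forwarded Windows 4776 events and surface repeating failures.

Added example, not from the post. The first entry of SAMPLE_LOG is the line
posted; the others are constructed with the same layout, which is assumed to
be the Snare-style tab-separated record (<009> = tab, <013><010> = CRLF).
"""
import re
from collections import defaultdict
from datetime import datetime

ESCAPED = re.compile(r"<(\d{3})>")
SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")

# Well-known NTSTATUS values seen in the 4776 "Error Code" field.
NTSTATUS = {
    "0x0": "success",
    "0xc000006a": "wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
    "0xc0000071": "password expired",
    "0xc000006f": "logon outside permitted hours",
}


def snare_line(syslog_ts, event_ts, counter, outcome, account, workstation, code):
    """Build a forwarder-style 4776 line (constructed test data, layout as posted)."""
    detail = ("The computer attempted to validate the credentials for an account.<013><010><013><010>"
              "Authentication Package:<009>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0<013><010>"
              "Logon Account:<009>%s<013><010>Source Workstation:<009>%s<013><010>Error Code:<009>%s"
              % (account, workstation, code))
    return ("%s DC1.domain.local MSWinEventLog<009>2<009>Security<009>%d<009>%s<009>4776<009>"
            "Microsoft-Windows-Security-Auditing<009><009>N/A<009>%s<009>DC1.domain.local<009>14336<009>%s"
            % (syslog_ts, counter, event_ts, outcome, detail))


SAMPLE_LOG = [
    # verbatim from the post
    "Jul 14 10:03:54 DC1.domain.local MSWinEventLog<009>2<009>Security<009>191929351<009>Fri Jul 14 10:03:52 2017<009>4776<009>Microsoft-Windows-Security-Auditing<009><009>N/A<009>Audit Failure<009>DC1.domain.local<009>14336<009>The computer attempted to validate the credentials for an account.<013><010><013><010>Authentication Package:<009>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0<013><010>Logon Account:<009>COMPUTER-NAME$<013><010>Source Workstation:<009>COMPUTER-NAME<013><010>Error Code:<009>0xc000006a",
    # constructed: the same failure one and two minutes later, a user typo, a success, an unrelated event
    snare_line("Jul 14 10:04:54", "Fri Jul 14 10:04:52 2017", 191929402, "Audit Failure", "COMPUTER-NAME$", "COMPUTER-NAME", "0xc000006a"),
    snare_line("Jul 14 10:05:54", "Fri Jul 14 10:05:52 2017", 191929460, "Audit Failure", "COMPUTER-NAME$", "COMPUTER-NAME", "0xc000006a"),
    snare_line("Jul 14 10:05:10", "Fri Jul 14 10:05:08 2017", 191929431, "Audit Failure", "jdoe", "WS-17", "0xc0000064"),
    snare_line("Jul 14 10:05:12", "Fri Jul 14 10:05:10 2017", 191929433, "Audit Success", "jdoe", "WS-17", "0x0"),
    "Jul 14 10:05:13 DC1.domain.local MSWinEventLog<009>0<009>Security<009>191929434<009>Fri Jul 14 10:05:11 2017<009>4624<009>Microsoft-Windows-Security-Auditing<009><009>N/A<009>Audit Success<009>DC1.domain.local<009>12544<009>An account was successfully logged on.",
]


def unescape(text):
    """Turn <NNN> decimal tokens back into the characters they stand for."""
    return ESCAPED.sub(lambda m: chr(int(m.group(1))), text)


def parse_4776(line):
    """Return a dict for a 4776 record, or None for anything else."""
    m = SYSLOG.match(line)
    if not m:
        return None
    parts = unescape(m.group(3)).split("\t", 12)   # field 12 (the description) keeps its own tabs
    if len(parts) < 13 or parts[0] != "MSWinEventLog" or parts[5] != "4776":
        return None
    detail = {}
    for item in parts[12].split("\r\n"):
        if ":\t" in item:
            key, value = item.split(":\t", 1)
            detail[key.strip()] = value.strip()
    return {
        "time": datetime.strptime(parts[4], "%a %b %d %H:%M:%S %Y"),  # the event's own timestamp
        "dc": m.group(2),
        "outcome": parts[9],
        "account": detail.get("Logon Account", ""),
        "workstation": detail.get("Source Workstation", ""),
        "code": detail.get("Error Code", "").lower(),
    }


def summarise(events):
    """Group failures by (account, workstation, code); a steady median interval
    between repeats is the signature of a process retrying a stale secret."""
    groups = defaultdict(list)
    for e in events:
        if e["outcome"] == "Audit Failure":
            groups[(e["account"], e["workstation"], e["code"])].append(e["time"])
    report = []
    for (account, workstation, code), times in groups.items():
        times.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        report.append({
            "account": account, "workstation": workstation, "code": code,
            "reason": NTSTATUS.get(code, "unknown"),
            "machine_account": account.endswith("$"),
            "count": len(times),
            "median_interval_s": gaps[len(gaps) // 2] if gaps else None,
        })
    return sorted(report, key=lambda r: -r["count"])


if __name__ == "__main__":
    parsed = [e for e in (parse_4776(line) for line in SAMPLE_LOG) if e]
    for row in summarise(parsed):
        print(row)
```

On the sample it reports COMPUTER-NAME$ from COMPUTER-NAME with 3 wrong-password failures at a median 60 s interval, and jdoe's single "user name does not exist" with no interval. Feed it the DC's forwarded log for a day and the first row of the summary is the host to look at.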

Configure multiple Office 365 Apps

Hello,

After I configure multiple Office 365 Apps in the Centrify portal, I get the following error when accessing the Office 365 - SharePoint portal for one of my tenants:

Unable to Launch Application

More than one application found with that name.

Is it possible to configure multiple Office 365 Apps in the Centrify portal?
  • If yes, how to fix the error?
  • If not, how can we Centrify access for multiple tenants (different UPN suffixes)?

Please shed some light on this behavior.

Regards,
Ganesan

ROOT GID (0) after upgrade to 2017.1

Hi there,

I just upgraded my clients to Centrify Express 2017.1.

After the upgrade, all of my clients are now only reporting the "root" user account as the GID 0 (zero) local account on the system. Before the upgrade, the clients were successfully taking the GID from AD of the user [domain]\root.

I have checked in the forums and tried to remove "root" from the user.ignore file and done the adreload and adflush, to no avail. All the systems are still only taking the local root and not the Active Directory account into consideration. This is a problem. I can roll back the clients, but that will be time consuming.

What else can be done for this? Centrify Express.

Thank you.

Change the directory in which user folders are created

Hi all,

I am browsing through the centrify.conf file to see if there is a way to change the directory in which user accounts are created. This is because I wanted to write a script to delete all of the existing users after every reboot.

Does anyone know how to do this, or if the .conf file is configurable to allow this? Many thanks!

Samba and adbindproxy issues

Hello and thanks in advance for your help!

I am currently trying to implement a Samba share on a CentOS 7.3 server. I installed the latest Centrify Express package and ran the adbindproxy.pl script, apparently successfully. But when testing with smbclient, I am only able to list the shares through anonymous login.

smbclient -L server-name.domain.com -U jay.baker

returns `NT_STATUS_LOGON_FAILURE`

Here's the relevant bit from the samba logs:

[2017/07/17 17:00:28.953020,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [jay.baker] -> [jay.baker] -> [DOMAIN\jay.baker] succeeded
[2017/07/17 17:00:28.953075,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/17 17:00:28.953104,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/07/17 17:00:28.953156,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/17 17:00:28.953170,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/07/17 17:00:28.953264,  1] ../source3/auth/token_util.c:935(create_token_from_username)
  lookup_name_smbconf for DOMAIN\jay.baker failed
[2017/07/17 17:00:28.953283,  1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_NO_SUCH_USER
[2017/07/17 17:00:28.953349,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2017/07/17 17:00:28.958716,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (failed to receive smb request)
[2017/07/17 17:00:28.978007,  3] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory

To me, it looks like authentication with our domain controllers is succeeding, but then samba thinks the user isn't authorized.

Here's our current samba config at /etc/samba/smb.conf:

#
# This file was generated by Centrify ADBindProxy Utility
#
[global]
    security = ADS
    realm = DOMAIN.COM
    workgroup = DOMAIN
    netbios name = server-name

    auth methods = guest, sam, winbind, ntdomain
    machine password timeout = 0
    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
    #valid users = @"DOMAIN\Domain Admins"

    log level = 3
    #
    # Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
    # with "kerberos method".  The directive "kerberos method = secrets and keytab"
    # enables Samba to honor service tickets that are still valid but were
    # created before the Samba server's password was changed.
    #
    kerberos method = secrets and keytab

    #
    # Setting "client use spnego principal" to true instructs SMB client to 
    # trust the service principal name returned by the SMB server. Otherwise, 
    # client cannot be authenticated via Kerberos by the server in a different
    # domain even though the two domains are mutually trusted.
    #
    #client use spnego principal = true

    #
    # Setting send spnego principal to yes .
    # Otherwise, it will not send this principal between Samba and Windows 2008
    #
    #send spnego principal = Yes

    # If your Samba server only serves to Windows systems, try server signing = mandatory.
    server signing = auto

    client ntlmv2 auth = yes
    client use spnego = yes 


    template shell = /bin/bash

    winbind use default domain = Yes

    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes

    idmap cache time = 0

    #ignore syssetgroups error = No
    idmap config * : backend  = tdb
    idmap config * : range = 1000 - 200000000
    idmap config * : base_tdb = 0
    enable core files = false

    # Disable Logging to syslog, and only write log to Samba standard log files.
    #syslog = 0

[samba-test]
    path = /samba-test
    public = yes
    read only = No
    valid users = Domain\domain_admins
    force group = Domain\domain_admins
    guest ok = Yes

I have tried a lot of different permutations of this file, lol, pretty much any Samba Stack Overflow or blog post I could find, and no matter what I try, I get the same main error of:

lookup_name_smbconf for DOMAIN\jay.baker failed

I'm assuming it's just something stupidly simple that I haven't yet discovered in my Samba config. If anyone has seen the same problem, or has any suggestions, any help would be greatly appreciated!
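Both Samba configurations on this page (the AIX one earlier and this CentOS one) carry settings that deserve a second look independently of the login problem: `allow insecure wide links = yes` in the AIX global section, `wide links`/`follow symlinks` on a share, `server signing = auto` (the generated file's own comment suggests mandatory), `public`/`guest ok` on writable shares, and `valid users` entries written in different syntaxes. The last one matters here: Samba reads a `valid users` name without an `@`, `+` or `&` prefix as a single user name, and a domain-qualified group has to be written `@DOMAIN<sep>group` with the configured `winbind separator`, so `Domain\domain_admins` above is not a group reference. The linter below is an added example, not from the posts, Centrify or Samba; it parses an smb.conf, folds Samba's parameter synonyms (public/guest ok, writable/read only), and reports findings by severity. The embedded configuration is trimmed from the AIX post with this post's share appended as [samba-test2]; the severities and rules are this example's own.

```python
"""Lint an smb.conf for settings that weaken an AD-joined Samba file server.

Added example, not from the posts, Centrify or Samba. SAMPLE_SMB_CONF is
trimmed from the AIX post's smb.conf with the share from the CentOS post
appended as [samba-test2]; Samba's parameter synonyms are folded the way
Samba does, and the severities and rules are this example's own.
"""
import re
import shlex

SAMPLE_SMB_CONF = """\
[global]
    security = ADS
    realm = EXAMPLE.LOCAL
    workgroup = EXAMPLE
    auth methods = guest, sam, winbind, ntdomain
    server signing = auto
    winbind separator = +
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap config * : backend  = tdb
    idmap config * : range = 1000 - 2000000000
    allow insecure wide links = yes

[samba-test]
    valid users = @"EXAMPLE.LOCAL+Allow Users"
    path = /home1/samba-test
    public = yes
    writable = yes
    wide links = yes
    follow symlinks = yes

[samba-test2]
    path = /samba-test
    public = yes
    read only = No
    valid users = Domain\\domain_admins
    force group = Domain\\domain_admins
    guest ok = Yes
"""

SYNONYMS = {"public": "guest ok", "browsable": "browseable", "writeable": "writable"}
TRUE = ("yes", "true", "1")
RANK = {"high": 0, "medium": 1, "low": 2}


def norm_key(key):
    """Samba parameter names are case-insensitive; fold synonyms too."""
    return SYNONYMS.get(re.sub(r"\s+", " ", key.strip().lower()), re.sub(r"\s+", " ", key.strip().lower()))


def parse_smb_conf(text):
    """Return {section: {param: value}} with '#' and ';' comments dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm_key(key)] = value.strip()
    return conf


def split_list(value):
    """Split a Samba list: comma/space separated, double quotes allowed, no backslash escapes."""
    lex = shlex.shlex(value, posix=True)
    lex.whitespace += ","
    lex.whitespace_split = True
    lex.escape = ""
    return [tok for tok in lex if tok]


def is_true(section, key, default=False):
    value = section.get(key)
    return default if value is None else value.lower() in TRUE


def is_writable(share):
    """writable = yes and read only = no are one switch; Samba's default is read-only."""
    if "writable" in share:
        return is_true(share, "writable")
    return not is_true(share, "read only", True)


def lint(conf):
    """Return [(severity, section, message)], highest severity first."""
    out = []
    g = conf.get("global", {})
    sep = g.get("winbind separator", "\\")
    if is_true(g, "allow insecure wide links"):
        out.append(("high", "global", "allow insecure wide links = yes: shares may enable wide links, so clients can follow symlinks out of the share tree"))
    signing = g.get("server signing", "default")
    if signing.lower() not in ("mandatory", "required"):
        out.append(("medium", "global", "server signing = %s: unsigned SMB sessions can be relayed; use mandatory" % signing))
    if "auth methods" in g:
        out.append(("low", "global", "auth methods is deprecated and ignored by current Samba; remove it"))
    for key in ("winbind enum users", "winbind enum groups"):
        if is_true(g, key):
            out.append(("low", "global", "%s = yes: enumerates the whole domain on demand (slow, and discloses account names)" % key))
    for name, share in conf.items():
        if name == "global" or is_true(share, "printable"):
            continue
        if is_true(share, "wide links"):
            out.append(("medium", name, "wide links = yes: symlinks in the share may point anywhere on the server"))
        if is_true(share, "guest ok"):
            writable = is_writable(share)
            out.append(("high" if writable else "medium", name, "guest access enabled on a %s share" % ("writable" if writable else "read-only")))
        for entry in split_list(share.get("valid users", "")):
            if entry[0] not in "@+&" and ("\\" in entry or sep in entry):
                out.append(("medium", name, "valid users entry %r is read as one user name; prefix a group with @ and join domain and name with the winbind separator %r" % (entry, sep)))
            elif entry[0] in "@+&" and "\\" in entry and sep != "\\":
                out.append(("medium", name, "valid users entry %r uses \\ but winbind separator is %r" % (entry, sep)))
    return sorted(out, key=lambda finding: RANK[finding[0]])


if __name__ == "__main__":
    for severity, section, message in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("%-6s [%s] %s" % (severity, section, message))
```

On the embedded configuration it lists three high findings (insecure wide links globally, guest access on two writable shares), the non-mandatory signing and the `Domain\domain_admins` entry as medium, and the deprecated and enumeration settings as low. Point `parse_smb_conf` at the real /etc/samba/smb.conf to run it against a host; `testparm -s` output works too, since it is in the same format.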

Centrify sshd

Are there any benefits of using Centrify sshd over local ssh? Please share.

Centrify Express and x2go

Hi,

I have a CentOS 7 server set up and running with x2go so that I can access xfce remote desktops via an SSH tunnel. I can log in fine using x2go with a local user account. I've just installed Centrify Express as I want to allow AD users to also log in using x2go. I can ssh in to the server as an AD user without any problem; however, when I try to log in using x2go the session fails. If I debug on the x2go client side I get the following:

Info: Proxy running in client mode with pid '11430'.
Session: Starting session at 'Sun Jul 23 10:11:55 2017'.
Info: Connecting to remote host 'localhost:51231'.
Info: Connection to remote proxy 'localhost:51231' established.
"
x2go-DEBUG-../src/sshprocess.cpp:109> New TCP connection.
x2go-DEBUG-../src/sshprocess.cpp:114> New socket: 19
x2go-DEBUG-../src/sshmasterconnection.cpp:1516> Creating new channel.
x2go-DEBUG-../src/sshmasterconnection.cpp:1520> New channel:0x7fc283e77030
x2go-DEBUG-../src/sshmasterconnection.cpp:1526> Forwarding new channel, local port: 49880
x2go-DEBUG-../src/sshmasterconnection.cpp:1544> New channel forwarded.
x2go-DEBUG-../src/sshmasterconnection.cpp:1703> "channel_write failed." - "Remote channel is closed"
x2go-DEBUG-../src/sshprocess.cpp:463> I/O error: "channel_write failed."" - Remote channel is closed" (2).
x2go-DEBUG-../src/sshmasterconnection.cpp:1746> EOF sent.
x2go-DEBUG-../src/sshmasterconnection.cpp:1750> Channel closed.
x2go-DEBUG-../src/onmainwindow.cpp:6014> Proxy wrote on stderr: "Error: The remote NX proxy cl"
x2go-DEBUG-../src/onmainwindow.cpp:6014> Proxy wrote on stderr: "osed the connection.
Error: Failure negotiating the session in stage '7'.
Error: Wrong version or invalid session authentication cookie.
Session: Terminating session at 'Sun Jul 23 10:11:55 2017'.
Session: Session terminated at 'Sun Jul 23 10:11:55 2017'.
"
x2go-DEBUG-../src/onmainwindow.cpp:5871> Deleting Proxy.
x2go-DEBUG-../src/onmainwindow.cpp:5920> Waiting for proxy to exit.
x2go-DEBUG-../src/onmainwindow.cpp:5940> Checking exit status.

 

On the server side, if I have sshd in debug mode, the AD user gets authenticated but then the connection to the port that x2go randomly chooses on the server is refused (port 48957 on this occasion).

Jul 23 10:16:51 server-hostname sshd[28472]: debug1: Forked child 16149.

Jul 23 10:16:51 server-hostname sshd[16149]: Set /proc/self/oom_score_adj to 0

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: inetd sockets after dupping: 3, 3

Jul 23 10:16:51 server-hostname sshd[16149]: Connection from <client-ip> port 60287 on <server-ip> port 22

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: Client protocol version 2.0; client software version libssh-0.7.3

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: no match: libssh-0.7.3

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: Enabling compatibility mode for protocol 2.0

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SELinux support enabled [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: permanently_set_uid: 74/74 [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SSH2_MSG_KEXINIT sent [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SSH2_MSG_KEXINIT received [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: kex: client->server aes256-ctr hmac-sha2-256 none [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: kex: server->client aes256-ctr hmac-sha2-256 none [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: kex: curve25519-sha256@libssh.org need=32 dh_need=32 [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: kex: curve25519-sha256@libssh.org need=32 dh_need=32 [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SSH2_MSG_NEWKEYS sent [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SSH2_MSG_NEWKEYS received [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: KEX done [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: userauth-request for user <AD-username> service ssh-connection method none [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: attempt 0 failures 0 [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: PAM: initializing for "<AD-username>"

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: PAM: setting PAM_RHOST to "<client-ip>"

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: PAM: setting PAM_TTY to "ssh"

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: userauth-request for user <AD-username> service ssh-connection method keyboard-interactive [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: attempt 1 failures 0 [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: keyboard-interactive devs  [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: auth2_challenge: user=<AD-username> devs= [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: kbdint_alloc: devices 'pam' [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: Postponed keyboard-interactive for <AD-username> from <client-ip> port 60287 ssh2 [preauth]

Jul 23 10:16:51 server-hostname sshd[16153]: debug1: do_pam_account: called

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: PAM: num PAM env strings 0

Jul 23 10:16:51 server-hostname sshd[16149]: Postponed keyboard-interactive/pam for <AD-username> from <client-ip> port 60287 ssh2 [preauth]

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: do_pam_account: called

Jul 23 10:16:51 server-hostname sshd[16149]: Accepted keyboard-interactive/pam for <AD-username> from <client-ip> port 60287 ssh2

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: monitor_child_preauth: <AD-username> has been authenticated by privileged process

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: monitor_read_log: child log fd closed

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SELinux support enabled

Jul 23 10:16:51 server-hostname sshd[16149]: debug1: PAM: establishing credentials

Jul 23 10:16:51 server-hostname sshd[16149]: pam_unix(sshd:session): session opened for user <AD-username> by (uid=0)

Jul 23 10:16:51 server-hostname sshd[16149]: User child is on pid 16161

Jul 23 10:16:51 server-hostname sshd[16161]: debug1: PAM: establishing credentials

Jul 23 10:16:51 server-hostname sshd[16161]: debug1: permanently_set_uid: 1619015552/1619015552

Jul 23 10:16:51 server-hostname sshd[16161]: debug1: Entering interactive session for SSH2.

Jul 23 10:16:51 server-hostname sshd[16161]: debug1: server_init_dispatch_20

Jul 23 10:16:51 server-hostname sshd[16161]: debug1: server_input_channel_open: ctype session rchan 43 win 64000 max 32768

Jul 23 10:16:51 server-hostname sshd[16161]: debug1: input_session_request

Jul 23 10:16:51 server-hostname sshd[16161]: debug1: channel 0: new [server-session]

Jul 23 10:16:51 server-hostname sshd[16161]: debug1: session_new: session 0

Jul 23 10:16:51 server-hostname sshd[16161]: debug1: session_open: channel 0

Jul 23 10:16:51 server-hostname sshd[16161]: debug1: session_open: session 0: link with channel 0

Jul 23 10:16:51 server-hostname sshd[16161]: debug1: server_input_channel_open: confirm session

Jul 23 10:16:52 server-hostname sshd[16161]: debug1: server_input_channel_req: channel 0 request exec reply 1

Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_by_channel: session 0 channel 0

Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_input_channel_req: session 0 req exec

Jul 23 10:16:52 server-hostname sshd[16161]: Starting session: command for <AD-username> from <client-ip> port 60287

Jul 23 10:16:52 server-hostname sshd[16149]: debug1: session_new: session 0

Jul 23 10:16:52 server-hostname sshd[16161]: debug1: Received SIGCHLD.

Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_by_pid: pid 16162

Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_exit_message: session 0 channel 0 pid 16162

Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_exit_message: release channel 0

Jul 23 10:16:52 server-hostname sshd[16161]: debug1: server_input_channel_open: ctype session rchan 44 win 64000 max 32768

Jul 23 10:16:52 server-hostname sshd[16161]: debug1: input_session_request

Jul 23 10:16:52 server-hostname sshd[16161]: debug1: channel 1: new [server-session]
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_new: session 1
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_open: channel 1
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_open: session 1: link with channel 1
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: server_input_channel_open: confirm session
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_by_channel: session 0 channel 0
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_close_by_channel: channel 0 child 0
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_close: session 0 pid 0
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: channel 0: free: server-session, nchannels 2
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: server_input_channel_req: channel 1 request exec reply 1
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_by_channel: session 1 channel 1
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_input_channel_req: session 1 req exec
Jul 23 10:16:52 server-hostname sshd[16161]: Starting session: command for <AD-username> from <client-ip> port 60287
Jul 23 10:16:52 server-hostname sshd[16149]: debug1: session_new: session 0
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: Received SIGCHLD.
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_by_pid: pid 16241
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_exit_message: session 1 channel 1 pid 16241
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_exit_message: release channel 1
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_by_channel: session 1 channel 1
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_close_by_channel: channel 1 child 0
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_close: session 1 pid 0
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 1: free: server-session, nchannels 1
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: server_input_channel_open: ctype direct-tcpip rchan 45 win 64000 max 32768
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: server_request_direct_tcpip: originator localhost port 51068, target localhost port 48597
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: connect_next: host localhost ([::1]:48597) in progress, fd=8
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 0: new [direct-tcpip]
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: server_input_channel_open: confirm direct-tcpip
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 0: connection failed: Connection refused
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: connect_next: host localhost ([127.0.0.1]:48597) in progress, fd=9
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 0: connection failed: Connection refused
Jul 23 10:16:57 server-hostname sshd[16161]: error: connect_to localhost port 48597: failed.
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 0: free: direct-tcpip, nchannels 1
Jul 23 10:16:57 server-hostname sshd[16161]: channel_by_id: 0: bad id: channel free
Jul 23 10:16:57 server-hostname sshd[16161]: Disconnecting: Received ieof for nonexistent channel 0.
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: do_cleanup
Jul 23 10:16:57 server-hostname sshd[16149]: debug1: do_cleanup
Jul 23 10:16:57 server-hostname sshd[16149]: debug1: PAM: cleanup
Jul 23 10:16:57 server-hostname sshd[16149]: debug1: PAM: closing session
Jul 23 10:16:57 server-hostname sshd[16149]: pam_unix(sshd:session): session closed for user <AD-username>
Jul 23 10:16:57 server-hostname sshd[16149]: debug1: PAM: deleting credentials

I'm pretty certain this is an issue with my Centrify Express settings because I previously had PBIS Open installed (now completely removed) and it worked with x2go without any issues. Can anyone provide any suggestions as to why the connection might be refused? Many thanks in advance.

All the best

Chris
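What the log above records, read in order, is that the exec session for the AD user started at 10:16:52, its child (pid 16241) exited at 10:16:57, and in the same second the client asked sshd to forward a connection to localhost:48597, which was refused on both ::1 and 127.0.0.1. The following script is an added triage helper, not code from Chris's post, from Centrify or from OpenSSH: it parses sshd debug1 lines in this syslog format and, for each refused direct-tcpip forward, reports which user's session it belonged to, which child ran the session command, how long that command lived and whether it had already exited when the forward was requested. The sample lines are a subset of the ones in the post with the poster's placeholders kept; the event names and result fields are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: a subset of the sshd debug1 lines from the post,
# with the poster's own placeholders (<AD-username>, <client-ip>) left in place.
SAMPLE_LOG = """\
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: server_input_channel_req: channel 1 request exec reply 1
Jul 23 10:16:52 server-hostname sshd[16161]: Starting session: command for <AD-username> from <client-ip> port 60287
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: Received SIGCHLD.
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_exit_message: session 1 channel 1 pid 16241
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: server_input_channel_open: ctype direct-tcpip rchan 45 win 64000 max 32768
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: server_request_direct_tcpip: originator localhost port 51068, target localhost port 48597
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: connect_next: host localhost ([::1]:48597) in progress, fd=8
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 0: connection failed: Connection refused
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: connect_next: host localhost ([127.0.0.1]:48597) in progress, fd=9
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 0: connection failed: Connection refused
Jul 23 10:16:57 server-hostname sshd[16161]: error: connect_to localhost port 48597: failed.
Jul 23 10:16:57 server-hostname sshd[16161]: Disconnecting: Received ieof for nonexistent channel 0.
Jul 23 10:16:57 server-hostname sshd[16149]: pam_unix(sshd:session): session closed for user <AD-username>
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The messages we track, in the wording OpenSSH uses in the log above.
EVENT_RES = (
    ("exec", re.compile(r"^Starting session: command for (?P<user>\S+) from (?P<client>\S+) port \d+$")),
    ("exit", re.compile(r"^debug1: session_exit_message: session \d+ channel \d+ pid (?P<child>\d+)$")),
    ("forward", re.compile(r"^debug1: server_request_direct_tcpip: originator \S+ port \d+, "
                           r"target (?P<thost>\S+) port (?P<tport>\d+)$")),
    ("forward_failed", re.compile(r"^error: connect_to (?P<thost>\S+) port (?P<tport>\d+): failed\.$")),
    ("disconnect", re.compile(r"^Disconnecting: (?P<reason>.*)$")),
)


def parse_sshd_log(text):
    """Return {sshd_pid: [(timestamp, kind, fields), ...]} in log order; lines
    that are not one of the tracked events are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
        for kind, rx in EVENT_RES:
            e = rx.match(m.group("msg"))
            if e:
                events[int(m.group("pid"))].append((ts, kind, e.groupdict()))
                break
    return dict(events)


def failed_forwards(events):
    """One finding per refused direct-tcpip forward: the session it belonged to,
    the child that ran the session command, how long that command lived, and
    whether it had already exited when the forward was requested."""
    findings = []
    for pid, evs in events.items():
        user = child = exec_ts = last_exit = disconnect = None
        requested = {}
        mine = []
        for ts, kind, f in evs:
            if kind == "exec":
                user, exec_ts = f["user"], ts
            elif kind == "exit":
                child, last_exit = int(f["child"]), ts
            elif kind == "forward":
                requested[(f["thost"], f["tport"])] = ts
            elif kind == "disconnect":
                disconnect = f["reason"]
            elif kind == "forward_failed":
                req_ts = requested.get((f["thost"], f["tport"]), ts)
                mine.append({
                    "sshd_pid": pid,
                    "user": user,
                    "target": f"{f['thost']}:{f['tport']}",
                    "child_pid": child,
                    "command_lifetime_s": (last_exit - exec_ts).total_seconds()
                    if exec_ts and last_exit else None,
                    "command_exited_before_forward": last_exit is not None and last_exit <= req_ts,
                })
        for finding in mine:          # the Disconnecting line comes after the failure
            finding["disconnect_reason"] = disconnect
        findings.extend(mine)
    return findings


if __name__ == "__main__":
    for finding in failed_forwards(parse_sshd_log(SAMPLE_LOG)):
        print(finding)
```

Feed it the full `sshd -d` output from a failing login and the `command_exited_before_forward` flag tells you at a glance whether the refused port was never listened on because the command the client launched over the exec channel had already gone away, which is the question to settle before looking at PAM or Centrify settings.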

AIX 7.1 and samba 4.6.4

Hello,

I installed samba 4.6.4 from the IBM toolbox for Linux. After that I installed the Centrify suite 2007.1 (express install) and joined our domain.

Next I installed adbindproxy.

After this I see I'm joined to the domain (adinfo).

But I have a strange problem: with some of the domain users I can browse the server, and with other users it is not possible. If I use smbclient -L localhost -U username I have the same problem.

All the users are in the Allow List.

Sometimes there is even an error: No logon server.

My samba conf is below:


[global]
    security = ADS
    realm = EXAMPLE.LOCAL
    workgroup = EXAMPLE
    netbios name = server1
    netbios aliases = server11

    auth methods = guest, sam, winbind, ntdomain
    machine password timeout = 0
    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb

    kerberos method = secrets and keytab
    server signing = auto

    client ntlmv2 auth = yes
    client use spnego = yes

    template shell = /bin/bash
    winbind separator = +
    winbind use default domain = Yes

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = Yes

    idmap cache time = 0

    #ignore syssetgroups error = No
    idmap config * : backend  = tdb
    idmap config * : range = 1000 - 2000000000
    idmap config * : base_tdb = 0
    enable core files = false

    # lets shares turn on "wide links" while unix extensions are enabled;
    # a symlink inside a share can then resolve to a path outside it
    allow insecure wide links = yes

    interfaces = en4 172.20.20.99/255.255.254.0

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

[samba-test]
    comment = Samba share
    valid users = @"EXAMPLE.LOCAL+Allow Users"
    #invalid users = @"EXAMPLE.LOCAL+Deny List"
    path = /home1/samba-test
    # "public" is a synonym for "guest ok"
    public = yes
    writable = yes
    # hides the share from browse lists only; it can still be connected to by name
    browsable = no
    wide links = yes
    follow symlinks = yes

adinfo -v
adinfo (CentrifyDC 5.4.1-455)

adinfo -V
Options:
-------
task: all
domain: null
output: null
additional paths: null
user: null
using user's credential cache: No
allow password prompt in kerberos get init credential: Yes
user's credential cache: null
server: null
Local host name:   server1
Joined to domain:  example.local
Joined as:         server1.example.local
Pre-win2K name:    server1
Current DC:        w2008dcbu.example.local
Preferred site:    Default-First-Site
Zone:              Auto Zone
  Retrieving site information from site=any, server='w2008dcbu.example.local'
  Using machine credentials
    Using principal name 'server1$@example.LOCAL'
  Binding to example.local, cache=MEMORY:1100d4bb0
  Searching for (&(samAccountName=server1$)(objectClass=computer))
             in dc=example,dc=LOCAL
  Found computer account: CN=server1,CN=Computers,DC=example,DC=local
Last password set: 2017-07-31 14:58:12 DFT
CentrifyDC mode:   connected
Licensed Features: Disabled

adinfo

Local host name:   server1
Joined to domain:  example.local
Joined as:         server1.example.local
Pre-win2K name:    server1
Current DC:        w2008dcbu.example.local
Preferred site:    Default-First-Site
Zone:              Auto Zone
Last password set: 2017-07-31 14:58:12 DFT
CentrifyDC mode:   connected
Licensed Features: Disabled
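As an added example, not code from this post, from Samba or from Centrify: a small smb.conf parser plus review script that reads the sections posted above (trimmed and embedded as constructed sample input) and lists the settings a security reviewer would question before this share is used beyond testing. The checks and their wording are my own; the parser only treats "=" as a delimiter because Samba parameter names such as `idmap config * : backend` contain a colon, and it folds synonyms such as `public`/`guest ok` and `browsable`/`browseable` onto one name so the checks see the same value however it was spelled.

```python
import configparser

# Constructed sample input: the [global] and [samba-test] sections of the
# smb.conf posted above, trimmed to the parameters the checks below look at.
SAMPLE_SMB_CONF = """\
[global]
    security = ADS
    realm = EXAMPLE.LOCAL
    workgroup = EXAMPLE
    auth methods = guest, sam, winbind, ntdomain
    server signing = auto
    winbind separator = +
    winbind use default domain = Yes
    #ignore syssetgroups error = No
    idmap config * : backend  = tdb
    idmap config * : range = 1000 - 2000000000
    allow insecure wide links = yes

[samba-test]
    comment = Samba share
    valid users = @"EXAMPLE.LOCAL+Allow Users"
    path = /home1/samba-test
    public = yes
    writable = yes
    browsable = no
    wide links = yes
    follow symlinks = yes
"""

# Samba accepts these spellings as synonyms; fold them onto one canonical name.
SYNONYMS = {"public": "guest ok", "browsable": "browseable", "writable": "writeable"}


def load_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.
    Only '=' separates names from values (names like 'idmap config * : backend'
    contain ':'); names are lower-cased and internal whitespace collapsed."""
    cp = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"),
        strict=False, empty_lines_in_values=False)
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    return {
        section: {SYNONYMS.get(k, k): v.strip() for k, v in cp.items(section)}
        for section in cp.sections()
    }


def is_yes(value, default="no"):
    """Samba boolean: yes/true/1 are true; 'default' applies when the parameter is unset."""
    return (value if value is not None else default).strip().lower() in ("yes", "true", "1")


def audit(conf):
    """Return [(section, finding)] for settings a reviewer should question."""
    g = conf.get("global", {})
    out = []
    if is_yes(g.get("allow insecure wide links")):
        out.append(("global", "allow insecure wide links = yes: shares may set 'wide links' while "
                              "unix extensions are on, so symlinks can lead outside the share"))
    signing = g.get("server signing", "default")
    if signing.lower() != "mandatory":
        out.append(("global", f"server signing = {signing}: SMB signing is not required, "
                              "so clients may connect unsigned"))
    if "auth methods" in g:
        out.append(("global", "auth methods is set explicitly: Samba documents it as deprecated, "
                              "check testparm output for a warning before relying on it"))
    for name, share in conf.items():
        if name in ("global", "printers"):
            continue
        if is_yes(share.get("wide links")) and is_yes(share.get("follow symlinks"), default="yes"):
            out.append((name, "wide links = yes with follow symlinks: a symlink under the share path "
                              "resolves to any file the connecting user can read on the host"))
        if is_yes(share.get("guest ok")) and share.get("valid users"):
            out.append((name, "guest ok = yes (via 'public') together with valid users: confirm with "
                              "'smbclient -N' that anonymous access is actually refused"))
        if not is_yes(share.get("browseable"), default="yes") and is_yes(share.get("writeable")):
            out.append((name, "browseable = no only hides the share from listings; it is still "
                              "writable by name for everyone in valid users"))
    return out


if __name__ == "__main__":
    for section, finding in audit(load_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {finding}")
```

The script runs offline and knows nothing of Samba's full parameter table, so it complements `testparm` rather than replacing it; it also says nothing about why some domain users fail while others succeed, which has to be chased on the Centrify side (adquery/adinfo against the failing user) rather than in smb.conf.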

Military CAC and establishing secure connection

Good morning - I have a Mac that is running OS X El Capitan 10.11.6, a GEMALTO DLGX4-A CAC card, and Centrify Express installed on my computer.

Up until a few days ago, I was able to access all CAC-enabled websites with no issues - but now I am getting an error that a secure connection cannot be established. I have not gotten a new CAC card or made any changes that I can think of to cause this error.

I have already rebooted my system, unplugged and replugged the CAC reader, uninstalled and reinstalled the software, and verified all certificates.

I would appreciate any assistance with helping me figure out the issue.

Thank you!

Teresa
